Make TikiWiki more secure against future potential vulnerabilities (hardened TikiWiki)

Regression bugs introduced in 1.9.10.1 (which were ok in 1.9.9)

(07:01:41) peter__: Hello
(07:03:16) peter__: Just installed Tiki and now have the problem that the registration code as image does not show up (tiki-random_number). Any suggestions?
(07:04:35) sylvieg: check you have imagick or gd installed
(07:05:32) peter__: gd is installed and for example pictures are shown in galleries.
(07:17:38) marclaporte: peter__: which version?
(07:17:55) marclaporte: I saw a bug fix to that file recently (dunno if related)
(07:29:47) lphuberdeau_: problem introduced in 1.9.10 or 1.9.10.1 with the additional checks
(07:30:06) lphuberdeau_: fix is in CVS, was waiting for more reports before making another release
(07:32:51) lphuberdeau_: tiki-login_validate.php and tiki-random_num_img.php were modified since the release
(07:33:58) marclaporte: you can get them here: http://tikiwiki.cvs.sourceforge.net/tikiwiki/tiki/?pathrev=BRANCH-1-9
(08:29:06) peter__: lphuberdeau_: Thanks for the hint!
(08:39:48) peter__: Report: tiki-login_validate.php and tiki-random_num_img.php from CVS fixed the problem with the registration code image. Thanks.

This was a bug introduced while making Tiki more secure (a little too secure in this case). Below are the tweaks that needed to be made to 1.9.10.1:

New pre-emptive securitycheck.php script. This check, which is now part of the release procedures, examines every potentially dangerous file (.php, .sh, etc.) to make sure it passes some basic checks (such as a feature check, a permission check, and verification that it can't be called directly if it shouldn't be). If you are not using feature X, you will no longer be potentially affected by a security issue discovered in a file used by that feature. If you are using that feature, you can turn it off until you upgrade.

Adding feature and permission checks to all files to comply with the securitycheck.php script described above.

Developer scripts now have extra protection to make sure they can't be run from the web (on a badly configured server).

Some useless files were deleted.
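
The kind of audit described above, as an added example in Python (not the project's securitycheck.php): it flags PHP files that lack a feature check or a permission check unless they carry a direct-call guard. The guard patterns, function names and sample files are assumptions constructed for illustration.

```python
import re

# Assumed guard idioms; the real securitycheck.php rules are not shown on this page.
FEATURE = re.compile(r"""\$feature_\w+\s*!==?\s*['"]y['"]""")
PERMISSION = re.compile(r"""\$tiki_p_\w+\s*!==?\s*['"]y['"]""")
DIRECT_CALL = re.compile(
    r"""strpos\s*\(\s*\$_SERVER\[['"]SCRIPT_NAME['"]\]\s*,\s*basename\s*\(\s*__FILE__\s*\)""")
# Heuristic comment stripper: it does not understand "//" inside string literals.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def audit_source(php_source):
    """Return the list of guards missing from one PHP file's source."""
    code = COMMENTS.sub("", php_source)  # a commented-out guard must not count
    if DIRECT_CALL.search(code):
        return []  # include-only file: it refuses direct requests
    missing = []
    if not FEATURE.search(code):
        missing.append("feature check")
    if not PERMISSION.search(code):
        missing.append("permission check")
    return missing

def audit_files(files):
    """Map each failing file name to its missing guards; passing files are omitted."""
    report = {}
    for name, source in sorted(files.items()):
        missing = audit_source(source)
        if missing:
            report[name] = missing
    return report

# Constructed sample files (not taken from the TikiWiki tree).
SAMPLE = {
    "tiki-good.php": "<?php\nif ($feature_galleries != 'y') { die; }\n"
                     "if ($tiki_p_view != 'y') { die; }\n",
    "lib/helper.php": "<?php\nif (strpos($_SERVER[\"SCRIPT_NAME\"], "
                      "basename(__FILE__)) !== false) { exit; }\n",
    "tiki-nofeature.php": "<?php\n// if ($feature_x != 'y') die;\n"
                          "if ($tiki_p_admin != 'y') { die; }\n",
    "tiki-bare.php": "<?php\necho 'hello';\n",
}

if __name__ == "__main__":
    for name, missing in audit_files(SAMPLE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run as a release gate, a non-empty report would block the build until every listed file gains its guards.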

Fixes

Fix a username/password/registration bug which was introduced in 1.9.9.

Image Gallery: Fixed the next-prev glitch which was introduced recently.
